Ensuring data protection rights in 2020 & beyond

On the occasion of the publication of the EDPB’s 2020 Annual Activity Report, we checked in with EDPB Chair Andrea Jelinek and asked her some questions about the EDPB’s work in 2020 and where the EDPB’s headed next.

Q: 2020 has certainly been a busy year for the EDPB. According to you, what were the EDPB's main achievements last year?

A: One of the things that stood out was our ability to respond quickly to the reality during the pandemic and to recent developments in the realm of data protection such as the Schrems II ruling. The EDPB did not hesitate and immediately set to developing guidance to respond to the situation at hand. All while dealing with the challenges that came with working remotely.

As you can see in the 2020 Annual Activity Report, the EDPB’s workload increased significantly during 2020. In 2020, we adopted 10 guidelines and 32 Art. 64 GDPR consistency opinions. In addition, we successfully concluded the first dispute resolution procedure on the basis of Art. 65 GDPR. In February 2020, the EDPB contributed to the European Commission’s two-year review of the GDPR.

The EDPB also published its ‘One-Stop-Shop’ decision register online, which gives companies real case examples to guide their respective privacy project implementations.

I’m happy to note that our increased workload did not result in a lower quality of work. Most stakeholders participating in the 2020 stakeholder survey found the EDPB Guidelines and Recommendations to be helpful in interpreting the GDPR and/or to provide actionable guidance for their activities.

All our work was made possible thanks to the ceaseless efforts of everyone within the EDPB and the EDPB Secretariat, in spite of the challenges that came with the COVID-19 pandemic.

Q: 2020 was a challenging year for many reasons, how did the global pandemic impact the work of the EDPB? Aside from the pandemic, what were the main challenges the EDPB was faced with?                          

A: The pandemic and the subsequent lockdowns significantly altered how we live and work. In the first place, this meant adapting to the reality of working remotely and keeping the EDPB work going forward. At the same time, the pandemic brought into question our fundamental rights and interests, including our rights to privacy and data protection in light of the health crisis.

It’s important to note that the 2020 lockdowns did not result in a slowdown of EDPB activities. Rather the opposite, EDPB work increased exponentially during the months of lockdown. The EDPB Secretariat organised a substantially high number of meetings in 2020. In total, the EDPB held 27 plenary and 145 expert subgroup meetings, as well as 96 drafting team meetings with the rapporteurs of EDPB documents. In comparison, in 2019 the EDPB held 11 plenary and 90 expert subgroup meetings.

The potential effects of the pandemic on data subjects’ rights called for an immediate response. EEA Member States began taking measures to monitor, contain and mitigate the spread of the virus. Many of these measures involved the processing of personal data, As such, the EDPB quickly developed guidance on, amongst others, location and contact tracing apps; processing health data for scientific research; restrictions on data subject rights in a state of emergency; and data processing in the context of reopening borders. 

Aside from the topics concerning the pandemic, the first Art. 65 decision was an interesting challenge for the EDPB. This was the first time the dispute resolution mechanism was triggered, which brought with it a number of procedural and technical challenges. Nevertheless, the procedure worked without any glitches and within the foreseen timeline. It was an interesting and important procedure to carry out this first dispute resolution exercise. We achieved our goal to meet the deadline of 2 months (no easy feat with 32 entities around the table) and to ensure the consistent application of the law.

Q: What do you consider the most important data protection developments in the past year?

A: Apart from the impact of the COVID-19 pandemic on privacy and data protection, that would be Schrems II. The EU Court of Justice ruling in Schrems II had a significant impact on data exporters and on any entity involved in international transfers of personal data worldwide. The judgment has wide-ranging implications for EEA-based entities and was unprecedented in many ways. The EDPB immediately responded by developing an FAQ document to provide further clarifications, which was later complemented by the EDPB Recommendations on Supplementary Measures, which are currently being finalised following public consultation.

The EDPB believes that the CJEU’s judgment in Schrems II highlights the importance of the fundamental right to privacy in the context of the transfer of personal data to third countries and the risk for data subjects caused by possible indiscriminate access by a third country’s public authorities to the personal data transferred.

Q: A few days ago, the GDPR turned 3. How do you look back on the EDPB's work in the last 3 years?

A: This is the third year of the EDPB being in operation. In that time, we have made significant progress in many areas. Since the entry into application of the GDPR, the EDPB as a new decision-making EU body has adopted 39 sets of guidelines to clarify fundamental provisions of the GDPR, as well as 90 consistency opinions to ensure a consistent application of the law throughout the EEA. We have also advised the legislator on a number of important topics, such as adequacy decisions and the Digital Green Certificate.

Our experience with implementing the GDPR is encouraging and the Supervisory Authorities (SAs) give positive reports on the GDPR. The new cooperation duties imply that many exchanges between the SAs take place on a daily basis - as they work together on several hundred cross-border cases at a time. The SAs signal that they appreciate the value of these exchanges with their colleagues and believe that this cooperation is crucial for the success of the GDPR.

For the third year in a row, the EDPB received positive feedback from stakeholders on its work, with a majority indicating that they find our documents helpful. Stakeholders are keen to engage with us via our stakeholder workshops. They are open to sharing examples from their daily practice to help us make sure the EDPB addresses and clarifies the issues they have to deal with when implementing the GDPR.

Q: Looking ahead at 2021, could you already shed some light on the major projects that are ahead?

A: Earlier this year, the EDPB adopted a new bi-annual work programme, which builds on the EDPB 2021-2023 Strategy. Some of the guidance included in this work programme for the next two years is aimed at further streamlining cross-border enforcement of data protection law. The work programme matches the priorities set out in the Strategy, and provides an overview of the work and sets clear priorities.

The EDPB Strategy 2021-2023 was built upon four main pillars: advancing harmonisation and facilitating compliance; supporting effective enforcement and efficient cooperation between Supervisory Authorities; a fundamental rights approach to new technologies; and the global dimension. These pillars lay the foundation for the EDPB’s upcoming activities and will help prioritise the resources allocated to these in the following three years.

In line with the work programme, the EDPB will develop further guidance on key notions of EU data protection law, such as data subject rights and legitimate interest, and will invest increased efforts and resources to stimulate the development of compliance tools, such as codes of conduct and certification.

Next, the EDPB will support effective enforcement and efficient GDPR cooperation. It will develop guidance on some of the key articles relating to the cooperation and consistency mechanisms. The EDPB will also implement a Coordinated Enforcement Framework to facilitate joint actions in a flexible and coordinated manner. In addition, the EDPB is launching a pilot for a Support Pool of Experts to promote solidarity between national authorities by sharing experts for investigations and enforcement activities of significant common interest.

Naturally, the EDPB will continue to pay a great deal of attention to the international transfers of data. Furthermore, the EDPB will address matters related to new technologies, such as Blockchain and the use of facial recognition technologies.

Q: Is there anything you would like to add?

A: Since May 2018, and even well before that, we have constantly been trying to improve the implementation of the GDPR to ensure that the law achieves its intended results, namely an equally high level of data protection everywhere in the EEA. As we look forward to 2021, we will strive to contribute to a common data protection culture that ensures individuals enjoy a robust protection of their data protection rights.

The 2020 Annual Report is available here: https://europa.eu/!tV39tT